The EFF Gift Guide: What’s Creeping Us Out

EFF doesn’t endorse products. But as Internet-connected products proliferate, ads for them bombard holiday shoppers with promises of a more streamlined life. And they do so without always divulging that they’re tracking you more than a jolly fat man who sees when you’re sleeping and knows when you’re awake.

So, we are taking a different approach to the holiday gift guide: highlighting products that raise red flags for us, as privacy-conscious digital advocates. Here are some gifts being pushed this year that, from a privacy or security standpoint, are on our naughty list.

Facebook’s Portal

You’ve probably seen the ads for Facebook’s in-home camera, Portal, which it’s advertising as a way to keep in touch via video call with friends and loved ones wherever they are. “If you can’t be there, feel there,” is the maudlin tagline for the camera—which can follow you around the room during video-conferences.

Facebook has made some nods to privacy with this product, namely including a camera cover and a promise that it’s not using the company’s facial recognition technology to identify you. And Portal itself doesn’t serve you ads.

Still, Facebook has already had to change its tune about the extent to which it uses Portal data for advertising, first saying that no data would be used to serve Facebook users ads, and then being forced to clarify.

Data from Portal does, in fact, inform ads. This includes “the fact that you logged into your account or how often you use a feature or app.” What does that mean? Facebook offers the example that if you make a lot of video calls, you may see ads related to video calling.

It’s also collecting everything that Messenger collects, including “usage data such as length of calls, frequency of calls,” along with “aggregate usage” of ads, which could also inform your advertising profile.

Facebook has a history of changing the terms of how it uses your data, which is worth keeping in mind as you consider giving it a place in your home. The company’s practices have drawn its fair share of trust issues this year, to say the least, and have shown a certain disregard for notifying people of how it’s using their data.

The Portal name suggests opening a door; anyone considering it should remember that you’re not only opening up lines of communication, but also a connection between Facebook and your home.

Smart Home Hubs From Google, Amazon and Others

Alexa, who else are you talking to? Home hubs in general deserve a critical eye, given the wealth of data they collect, the frequency with which they collect it, and their intimate placement in our lives.

Smart home hubs, including those from Google and Amazon, reserve the right to share data collected from their products for advertising, as well as with companies who make the apps or skills you install on those devices. In Google’s case, it will use data from Home to “show you ads that are relevant and useful.” In Amazon’s case, while it also won’t share actual voice recordings with advertisers, it could share the content of requests for information such as ZIP codes, the New York Times reported.

Law enforcement is also certainly not shy about asking for data from smart home appliances as part of their investigations. Police have asked for data from smart home hubs, fitness trackers, and even pacemakers, The Washington Post reported.

Even seemingly benign data, particularly when collected frequently, can tell someone a lot about what you do. The Seventh Circuit ruled earlier this year that the Fourth Amendment specifically applies to smart meters—which measure electricity use frequently throughout the day—in part because the “ever-accelerating pace of technological development carries serious privacy implications.”

Verizon Phones with AppFlash Spyware

The company uses the information collected from the app to track what you’ve installed on your device and uses that intel to serve you ads based on what apps you’ve put on your phone.

Verizon does ask for users’ permission to collect information. What it doesn’t make clear, even in its own FAQ about the product, is how much information it’s collecting or how it’s going to use it. As we said in April 2017—and continue to say now—this is a problem. The apps people download onto their phones can reveal a lot of deeply personal information. Knowing that you’ve downloaded, for example, a fertility app could spark some awkward conversations when a diaper coupon pops up in front of someone else.

In addition to privacy, we’re also concerned that broad data collection makes the app—and, by extension, you—a major target for hackers.

Phone owners can disable, but not delete, this app, but that requires a) heading into your phone’s settings and b) knowing what it does in the first place. Consider this a warning.

The Elf on the Shelf

We’re getting into killjoy territory now, but winter is a time for cold truths: the phenomenon of the Elf on the Shelf—or its Hanukkah counterpart, the Mensch on a Bench—is whimsical, yet deeply creepy. For those who don’t know, these characters are supposed to be placed around the house to “monitor” children’s behavior to see if they’ve been good. The doll is to be moved around at random every day, to keep the kids on their toes.

While there’s nothing invasive about the products themselves—they’re dumb toys in multiple senses of the word—the ideas they set down are troubling. Making surveillance part of a holiday tradition is essentially setting up a plush police state in your own home. We’re never on board with normalizing the idea that constant surveillance is okay, even if it is a good opportunity to take a lot of Instagram pictures.

But What About…?

There are many, many more products that we could talk about here: smart toys, baby monitors, fitness trackers and more. Overall, there are a few things to think about when you’re looking at buying a smart gift but trying to balance privacy.

Consider carefully what features a product has, and what that means in terms of data collection. Anything with a microphone, for example, can record what you’re saying—and may record something you don’t expect it to, as was the case for one Amazon Echo owner this May. Opting for a smart vacuum also means letting a company like iRobot, maker of the Roomba, map out your house.

Second, use your settings. A new smart device will probably have a lot of sharing options on by default, and set-up is a good time to go through the settings and figure out what you actually want to be exposing to companies and others.
